Phantom Squatting: When Attackers Camp on the Domains LLMs Hallucinate
Unit 42 documents a pre-positioning tactic where actors register non-existent domains that chatbots keep suggesting, then wait for the traffic to arrive.

Large language models make things up. Sometimes those things are URLs.
Unit 42 is calling the resulting abuse pattern "phantom squatting," and by their account it's already showing up in the wild. The mechanics are straightforward. An LLM confidently recommends a login page, a support portal, or a package name that doesn't exist. An attacker, watching for exactly that class of hallucination, registers the domain first. When the next user follows the same suggestion, they land on infrastructure the adversary controls.
It's typosquatting with a new upstream. Instead of banking on human misspellings, the operator bets on model output.
Unit 42's writeup — available here — frames this as opportunistic rather than targeted, at least for now. Traffic quality is the appeal. A victim arriving via an AI assistant's recommendation is primed to trust the destination, which lifts the click-through rate on credential harvesting and drive-by malware pages above what generic phishing lures pull in.
Attribution here is thin. No public reporting has tied phantom squatting to a specific tracked cluster, and the technique's low barrier to entry means it's likely being tested by a wide mix of actors — commodity phishers, initial access brokers, and possibly state-aligned crews looking for cheap collection. Assess with low confidence that any single group owns the tradecraft. The overlap with existing domain-abuse TTPs (bulk registration, cheap TLDs, fast-flux hosting) is heavy, which is part of why it blends in.
The software supply chain angle deserves its own note. Coding assistants routinely hallucinate package names on npm, PyPI, and other registries. Researchers have been warning about "slopsquatting" — malicious packages registered under those hallucinated names — for over a year. Phantom squatting is the web-domain cousin of that same failure mode. Same root cause, different payload surface.
What defenders can do is limited but not zero.
For enterprise environments, treat AI-assistant output as untrusted input. Route chatbot-suggested URLs through the same secure web gateway inspection you'd apply to email links. Newly registered domain (NRD) filtering catches a meaningful slice of this activity because phantom squats are, by definition, freshly acquired. On the developer side, lockfiles and internal package mirrors blunt the slopsquatting variant.
The deeper problem is that LLM providers have limited incentive to fix hallucination at the URL layer, and no clean way to do it without breaking legitimate outputs. Filtering to only known-good domains would kneecap the assistants' usefulness. Adding a live existence check helps, but attackers can pre-register faster than models retrain.
Expect this to get worse before instrumentation catches up. Detection engineers should start pulling AI-referrer telemetry now if their proxies expose it. That's where the signal will live.



